CONTROLS FOR THE ELECTRONIC DATA INTERCHANGE AT
THE DEFENSE FINANCE AND ACCOUNTING SERVICE
COLUMBUS

Report No. D-2001-095                          April 6, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits

To suggest ideas for or to request audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ASD (C3I)    Assistant Secretary of Defense for Command, Control, Communications and Intelligence
CCR          Central Contractor Registry
DEBX         Defense Electronic Business Exchange
DFAS         Defense Finance and Accounting Service
DISA         Defense Information Systems Agency
DITSCAP      DoD Information Technology Security Certification and Accreditation Process
EDI          Electronic Data Interchange
JECPO        Joint Electronic Commerce Program Office
MOCAS        Mechanization of Contract Administration Services
SAMMS        Standard Automated Materiel Management System

Office of the Inspector General, DoD

Report No. D-2001-095                                                 April 6, 2001
(Project No. D2000FG-0057.01)

Controls for the Electronic Data Interchange at the
Defense Finance and Accounting Service Columbus

Executive Summary

Introduction. On May 21, 1997, the Under Secretary of Defense (Comptroller) directed the move to a paper-free contracting process that would modernize the acquisition processes of contract writing, administration, finance, and auditing. In 1998, the Joint Electronic Commerce Program Office assumed a lead role in the Electronic Data Interchange as part of the DoD Paper-Free Contracting Initiative. The Electronic Data Interchange sends and receives contract payment information from computer to computer in a standard format, thus allowing documents to be received, validated, accepted, and immediately processed. Electronic Data Interchange was designed to reduce the amount of paper used and stored by DoD contracting personnel, reduce the contract payment cycle time, and facilitate the sharing of information among Government and commercial communities. In essence, Electronic Data Interchange should eliminate the need to use paper documentation to enter contract data in contract pay systems and financial data in accounting systems. Defense Finance and Accounting Service Columbus personnel rely on the information accessed from the Electronic Data Interchange to make an average of 1.2 million payments (344,000 for the Mechanization of Contract Administration Services System and 922,000 for the Standard Automated Materiel Management System) yearly, totaling approximately $40 billion.

The Director, Defense Finance and Accounting Service Columbus, requested that we review the Electronic Document Access System and the Electronic Data Interchange to determine whether sufficient safeguards were in place to verify the accuracy of electronically transmitted contractual data. We issued a report on the Electronic Document Access System that recommended that the security responsibilities and Defense Finance and Accounting Service security and training requirements for the Electronic Document Access System be defined, and that an end-to-end assessment of system security be completed.

Objectives. The audit objective was to determine whether the security of the Electronic Data Interchange was adequate. The audit included reviews of selected security controls, compliance with the Chief Financial Officers Act requirements, and the management control program as it related to the overall objective. The report discusses the Defense Finance and Accounting Service implementation of the Electronic Data Interchange as it applies to the Defense Finance and Accounting Service Columbus general controls.

Results. The Joint Electronic Commerce Program Office security controls over Electronic Data Interchange were not sufficient to provide reasonable assurance that the Defense Finance and Accounting Service Columbus contract payments were accurate. Specifically, the Defense Information Systems Agency performed security tests and evaluations on the Electronic Data Interchange in 1999 and 2000 that resulted in 31 findings, which remain open. Further, the security tests and evaluations were based on security agreements that did not include input from the Defense Finance and Accounting Service. Unless corrective actions are taken, data transmitted through the Electronic Data Interchange could be subject to undetected alteration and misuse. The lack of a complete security agreement, and of a security test and evaluation based on that agreement, increased the risk of data inaccuracy because security controls were not sufficient. See the Finding section of the report for details on the audit and Appendix A for details of the review of the management control program.

Summary of Recommendations. We recommend that the Director, Joint Electronic Commerce Program Office, coordinate with the Defense Finance and Accounting Service and the Defense Information Systems Agency to update the security agreement for Electronic Data Interchange to incorporate security requirements and the assessment of the risks associated with using Electronic Data Interchange. We also recommend that the Director, Joint Electronic Commerce Program Office, perform an independent Electronic Data Interchange security test and evaluation based on an updated security agreement, incorporate the security requirements outlined in the security agreement in the Defense Finance and Accounting Service trading partner agreements for the data originating sites, and initiate corrective action to close the 31 open security test and evaluation findings.

Management Comments. The Joint Electronic Commerce Program Office concurred with coordinating with the Defense Finance and Accounting Service and the Defense Information Systems Agency to update the security agreement for the Electronic Data Interchange, performing an independent Electronic Data Interchange security test and evaluation based on the updated security agreement, and incorporating the security requirements outlined in the security agreement in the Defense Finance and Accounting Service trading partner agreements. However, the Joint Electronic Commerce Program Office only partially concurred with closing the 31 open security test and evaluation findings, stating that the 31 findings are outdated because they are the result of a security test and evaluation done in 1999. A new security test and evaluation was conducted October 2 through 6, 2000. See the Finding section of the report for details on the management comments and the Management Comments section for the complete text of management comments.

Audit Response. Comments from the Joint Electronic Commerce Program Office were responsive. However, the comments regarding the 31 open security findings stated that another security test and evaluation, conducted in October 2000, resulted in 21 security findings, of which 5 are expected to remain open. We request that the Joint Electronic Commerce Program Office explain the impact that the remaining five security findings will have on the security of the Electronic Data Interchange and provide an anticipated closing date for them. We also request that the Joint Electronic Commerce Program Office provide written comments that address the verbal agreement made by the Defense Finance and Accounting Service and the Joint Electronic Commerce Program Office regarding the Defense Finance and Accounting Service trading partner agreements. Therefore, we request additional comments on the final report by June 6, 2001.

Table of Contents

Executive Summary

Introduction
    Background
    Objective

Finding
    Adequacy of Security Controls Over the Use of Electronic Data Interchange

Appendixes
    A. Audit Process
        Scope
        Methodology
        Management Control Program Review
    B. Prior Coverage
    C. Report Distribution

Management Comments
    Defense Information Systems Agency

Background

The Director, Defense Finance and Accounting Service (DFAS) Columbus, requested that we review the use of Electronic Document Access and Electronic Data Interchange (EDI) to determine whether sufficient safeguards are in place to verify the accuracy of electronically transmitted contractual data. We issued the draft report, “General Controls Over the Electronic Document Access System,” on August 25, 2000. The report stated that the security responsibilities and DFAS security and training requirements for the Electronic Document Access System had not been defined, and that an end-to-end assessment of system security had not been completed.

Paper-Free Contracting Initiative. On May 21, 1997, the Under Secretary of Defense (Comptroller) directed the move to a paper-free contracting process to simplify and modernize the acquisition process in contract writing, administration, finance, and auditing.

Joint Electronic Commerce Program Office. To support the paper-free contracting initiative, the Deputy Secretary of Defense, under Defense Reform Initiative Directive 43, “Defense-Wide Electronic Commerce,” May 20, 1998, directed the establishment of the Joint Electronic Commerce Program Office (JECPO). JECPO acts as the primary entity, under the policy direction of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD [C3I]), to integrate electronic commerce in DoD.

Electronic Data Interchange Responsibility. From 1993 to 1998, the Defense Information Systems Agency (DISA) managed EDI and made it available for use at DFAS Columbus. On November 24, 1998, ASD (C3I) selected JECPO to implement DoD electronic commerce. Also in 1998, EDI management passed to JECPO as part of the paper-free contracting initiative. As manager of electronic commerce, JECPO is responsible for developing security standards for the certification and accreditation of EDI.

DoD System Certification and Accreditation Process. DoD Manual 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” December 1999 (the accreditation process), establishes standards for certifying and accrediting the security of DoD systems throughout their life cycle. Certification supports the accreditation process, which determines whether a system is designed and implemented to meet a set of specified security requirements. Accreditation is a formal declaration by a designated approving authority that an information technology system is approved to operate in a particular security mode using a prescribed set of safeguards. Before a system can be certified and accredited, the accreditation process requires the completion of a system security authorization agreement (security agreement) and a security test and evaluation.

    System Security Authorization Agreement. The security agreement is a formal binding agreement among the designated approving authority, the certification authority, information technology system representatives, and the program manager. For EDI, the Program Manager, Information Assurance Program Management Office, DISA, is the designated approving authority; the DISA Deputy Director for ASD (C3I) Program Integration is the certification authority; DFAS is the user representative; and JECPO is the program manager. The security agreement specifies the level of security required when system development begins or when changes to a system are made. The security agreement is designed to fulfill the requirements for a security plan and to meet all the needs for certification and accreditation support documentation.

    The security agreement consists of the system mission, threats to the system, target environment, target architecture, security requirements, and applicable data access policies and resources. Using the security agreement, the designated approving authority determines the accreditation based on the security safeguards, risk, corrective actions, and compliance with the security agreement.

    Security Test and Evaluation. The DITSCAP requires a security test and evaluation to be performed in order to evaluate the implementation of system security. The security test and evaluation verifies that automated security features affecting confidentiality, integrity, and availability have been implemented according to the security agreement, are performing properly, and provide the required security features. The security test and evaluation may be a joint effort among the users, systems administrators, and program management. In the case of EDI, the security test and evaluation should involve DFAS, DISA, JECPO, and the data originating sites. The results of the initial security test and evaluation are included in the security agreement that is provided to the designated approving authority for certification and accreditation.

Benefits of Electronic Data Interchange. EDI is the electronic exchange of information between two business concerns (trading partners) in a specific predetermined format. Traditionally, the focus of EDI activity has been on the replacement of paper business forms, such as purchase orders and invoices, with electronic forms. EDI was designed to reduce the amount of paper used and stored by DoD contracting personnel, reduce the contract payment cycle time, and facilitate the sharing of information among Government and commercial communities. In essence, EDI should eliminate the need to use paper documents to enter contract data in contract pay systems and financial data in accounting systems.

DFAS Use of Electronic Data Interchange. DFAS uses EDI to submit information to its contract payment systems.[1] DFAS Columbus personnel rely on the information accessed from EDI to make an average of 1.2 million payments (344,000 for the Mechanization of Contract Administration Services [MOCAS] and 922,000 for the Standard Automated Materiel Management System [SAMMS]) yearly, totaling approximately $40 billion. Based on our analysis of information provided by DFAS, 48 percent of the contract invoices received by MOCAS and SAMMS were paid using EDI.

[1] MOCAS and SAMMS are DFAS payment processing systems.

Electronic Data Interchange Flow. The following figure describes the EDI process and the flow of data through EDI.

[Figure omitted: EDI process and data flow]

In order to make a contract payment from MOCAS or SAMMS, DFAS receives contract and receiving report[2] data from DoD sites, as well as invoice data from contractors, through EDI. EDI translates the data into the American National Standards Institute Accredited Standards Committee X12 format (the X12 format).[3] Once the data have been translated into the X12 format, they are forwarded through the Non-secure Internet Protocol Router Network, the DoD unclassified data communication network, into the Defense Electronic Business Exchange (DEBX) located in Columbus, Ohio. The DEBX then forwards the data to the DFAS Columbus Gateway, which translates the data from the standard X12 format into files for use by the MOCAS and SAMMS payment processing systems.

[2] The receiving reports confirm to DFAS that the item or service on a contractor’s invoice has been received or rendered satisfactorily.
[3] DoD accepts X12 as the standard format for electronic business transactions.

Objective

The audit objective was to determine whether security for EDI was adequate. The audit included reviews of selected security controls, compliance with the Chief Financial Officers Act requirements, and the management control program as it related to the overall objective. This report discusses the JECPO and DFAS Columbus implementation of controls over EDI.
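The “Electronic Data Interchange Flow” paragraph above ends at the DFAS Columbus Gateway, which receives X12 interchanges from the DEBX and translates them for MOCAS and SAMMS. The Python below is an added example, not code from this report, from JECPO, or from the DFAS gateway: it shows the envelope checks a receiving gateway can run on an ANSI ASC X12 interchange before translating it, namely that the ISA/IEA, GS/GE and ST/SE control numbers and segment counts agree and that the ISA06 sender and ISA08 receiver name a registered trading partner and this gateway. The partner registry, the gateway identifier and the sample 810 invoice are constructed for the example. The last case in the demonstration is the report’s point: an invoice whose amount was altered while the envelope was left consistent passes these checks, so they catch truncation and misaddressed data but are no substitute for the integrity and authentication requirements a security agreement and trading partner agreement would impose.

```python
"""Envelope checks for an ANSI ASC X12 interchange. Added example, not code from
the audit report, JECPO, or the DFAS Columbus Gateway: before an inbound
interchange is translated for MOCAS/SAMMS, confirm the envelope is well formed,
control numbers and segment counts agree, and sender/receiver are registered
trading partners. Registry, gateway ID and sample invoice are constructed."""
from typing import List

# Constructed registry; a real gateway would consult the trading partner
# agreements and the Central Contractor Registry instead (assumption).
REGISTERED_PARTNERS = {"CONTRACTOR01", "ARMYSITE02", "DFASCOLUMBUS"}
GATEWAY_ID = "DFASCOLUMBUS"  # assumed ISA08 receiver ID of the gateway


def _el(seg: List[str], i: int) -> str:
    return seg[i] if i < len(seg) else ""  # element i, or "" if segment is short


def parse_x12(raw: str) -> List[List[str]]:
    """Split into segments using the delimiters declared in the fixed-length
    (106 char) ISA: element separator at offset 3, terminator at offset 105."""
    if len(raw) < 106 or not raw.startswith("ISA"):
        raise ValueError("interchange does not start with a 106-character ISA segment")
    element_sep, seg_term = raw[3], raw[105]
    chunks = [c.strip() for c in raw.split(seg_term)]  # newlines after ~ are cosmetic
    return [c.split(element_sep) for c in chunks if c]


def validate_envelope(raw: str, partners=REGISTERED_PARTNERS,
                      gateway: str = GATEWAY_ID) -> List[str]:
    """Return envelope problems; an empty list means the interchange is accepted."""
    try:
        segs = parse_x12(raw)
    except ValueError as exc:
        return [str(exc)]
    if len(segs[0]) != 17 or segs[-1][0] != "IEA":
        return ["malformed ISA header or missing IEA trailer"]
    isa, iea, problems = segs[0], segs[-1], []
    # Addressing: ISA06 sender and ISA08 receiver are space-padded to 15 chars.
    sender, receiver = isa[6].strip(), isa[8].strip()
    if sender not in partners:
        problems.append(f"sender {sender!r} is not a registered trading partner")
    if receiver != gateway:
        problems.append(f"receiver {receiver!r} is not this gateway ({gateway})")
    # Interchange trailer: IEA01 = number of functional groups, IEA02 = ISA13.
    groups = sum(1 for s in segs if s[0] == "GS")
    if _el(iea, 2) != isa[13]:
        problems.append("IEA02 control number does not match ISA13")
    if _el(iea, 1) != str(groups):
        problems.append(f"IEA01 says {_el(iea, 1)} groups, found {groups}")
    # Walk GS/GE and ST/SE pairs: control numbers and counts must agree.
    gs = st = None
    sets_in_group = segs_in_set = 0
    for seg in segs[1:-1]:
        tag = seg[0]
        if tag == "GS":
            gs, sets_in_group = seg, 0
        elif tag == "GE":
            if gs is None:
                problems.append("GE without matching GS")
            elif _el(seg, 2) != _el(gs, 6) or _el(seg, 1) != str(sets_in_group):
                problems.append(f"GE {seg[1:3]} does not match GS06 {_el(gs, 6)} "
                                f"and {sets_in_group} transaction set(s)")
            gs = None
        elif tag == "ST":
            st, segs_in_set, sets_in_group = seg, 1, sets_in_group + 1
        elif tag == "SE":
            segs_in_set += 1  # SE counts itself
            if st is None:
                problems.append("SE without matching ST")
            elif _el(seg, 2) != _el(st, 2) or _el(seg, 1) != str(segs_in_set):
                problems.append(f"SE {seg[1:3]} does not match ST02 {_el(st, 2)} "
                                f"and {segs_in_set} counted segments")
            st = None
        elif st is not None:
            segs_in_set += 1  # body segment inside a transaction set
        else:
            problems.append(f"segment {tag} outside any transaction set")
    if gs is not None or st is not None:
        problems.append("unterminated GS or ST envelope")
    return problems


# Constructed 810 (invoice) interchange from a registered contractor.
SAMPLE_810 = (
    "ISA*00*          *00*          *ZZ*CONTRACTOR01   *ZZ*DFASCOLUMBUS   "
    "*010406*1200*U*00401*000000001*0*P*>~\n"
    "GS*IN*CONTRACTOR01*DFASCOLUMBUS*20010406*1200*1*X*004010~\n"
    "ST*810*0001~\nBIG*20010406*INV-0001*20010301*DAAH01-01-C-0001~\n"
    "IT1*1*10*EA*25.00**PN*WIDGET-7~\nTDS*25000~\n"
    "SE*5*0001~\nGE*1*1~\nIEA*1*000000001~\n"
)

if __name__ == "__main__":
    print("intact:", validate_envelope(SAMPLE_810) or "accepted")
    print("truncated:", validate_envelope(SAMPLE_810.replace("TDS*25000~\n", "")))
    # Consistent envelope, altered amount: accepted. Only an integrity mechanism
    # agreed with the trading partner, not the envelope, can catch this.
    print("altered:", validate_envelope(SAMPLE_810.replace("TDS*25000", "TDS*99000")) or "accepted")
```

Running the module shows the intact interchange accepted, the truncated one rejected on the SE segment count, and the altered-amount one accepted. The envelope walk is deliberately strict about nesting (an SE without its ST, a body segment outside any transaction set) because a gateway that translates a malformed interchange into payment-system files is exactly the “undetected alteration and misuse” risk the finding describes.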
Refer to Appendix A for a discussion of the management control program and Appendix B for prior audit coverage.

Adequacy of Security Controls Over the Use of Electronic Data Interchange

    Security controls over the use of Electronic Data Interchange at the Defense Finance and Accounting Service Columbus were not sufficient to provide reasonable assurance that contract payments were accurate. The Defense Information Systems Agency performed security tests and evaluations on the Electronic Data Interchange in 1999 and 2000 that resulted in 31 findings, which remain open. Further, the security tests and evaluations were based on security agreements that did not include input from the Defense Finance and Accounting Service. The lack of security controls occurred because the Joint Electronic Commerce Program Office and the Defense Finance and Accounting Service had not addressed security over the Electronic Data Interchange, to include performing an assessment to identify the risks associated with the use of the Electronic Data Interchange or effectively testing controls over the Electronic Data Interchange process. As a result, data obtained through Electronic Data Interchange may be subject to undetected alteration and misuse. Additionally, the lack of a security agreement and a valid security test and evaluation increased the risk of data inaccuracy and the risk that implemented security may not have operated as intended.

Guidance and Responsibility for Information Systems

Electronic Commerce Responsibilities. In Defense Reform Initiative Directive No. 43, the ASD (C3I) designated JECPO as the DoD-wide organization to oversee implementation of electronic commerce initiatives. DFAS and DISA also play a prominent role in EDI use. DFAS uses EDI to provide data for contract payment processing. DISA provides the infrastructure upon which EDI operates.

DoD System Security Requirement. DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AIS),” March 21, 1988, provides guidance on mandatory minimum automated information system security requirements. The Directive requires the heads of DoD Components to verify that periodic independent reviews of the security and protection of their automated information systems are accomplished to ensure compliance with stated security goals.

EDI Guide. DFAS Columbus issued the Electronic Data Interchange Guide on November 4, 1999. The guide contains information pertaining to all current DFAS Columbus EDI transactions. It explains the EDI registration process, the format used, and participation requirements (including the trading partner agreements that explain the responsibility of each participant). However, the trading partner agreements do not discuss security.

Establishing EDI Security Controls

Security controls over the use of EDI at DFAS Columbus were not sufficient to provide reasonable assurance that contract payments were accurate. The documentation needed to support the completion of a risk assessment is inadequate. The DITSCAP provides the guidance to assess the risks of operating a system and to determine whether a system can be certified and accredited for use. Specifically, the DITSCAP mandates that information system managers prepare a system security authorization agreement to document how the system will operate and the risks of operating it. The risks documented in the security agreement are validated through a security test and evaluation. As a result of a successful security test and evaluation, the system can be certified and accredited for use. If the system does not pass the security test and evaluation, the designated approving authority can require that changes be made to the system or grant a 1-year interim authority to operate. The DISA-designated approving authority can issue the interim authority to operate when the benefits of using the system are greater than the security risks discovered in the security test and evaluation. JECPO did not follow this process.

1998 EDI Security Agreement. In 1998, DISA began preparing an EDI security agreement. Also in 1998, JECPO assumed management of EDI. JECPO, however, did not complete the EDI security agreement because, according to the JECPO Deputy Director, controls over paperless transactions should be no greater than the controls over paper transactions. Therefore, JECPO personnel assumed that a completed security agreement was not necessary. Because the security agreement establishes and documents the operating risks of a system, without a complete security agreement the EDI operating risks were unknown.

In September 1999, DISA performed a security test and evaluation on EDI based on an incomplete security agreement. The DITSCAP requires that the DISA-designated approving authority review the security agreement, which includes the results from the assessments and evaluations performed on the system, prior to granting authority to operate or an interim authority to operate. However, the DISA-designated approving authority issued an interim authority to operate in September 1999 although the security test and evaluation was based on an incomplete security agreement. The DISA-designated approving authority later extended the interim authority to operate through October 31, 2000. The DISA-designated approving authority did not follow the certification and accreditation process outlined in the DITSCAP. Although the security test and evaluation was based on an incomplete security agreement, it disclosed 21 security findings, which concentrated on important parts of the EDI flow, the DEBX, and the Central Contractor Registry (CCR).[4] For example:

    • the DEBX and the CCR security policy have been in draft since 1996;

    • the DEBX and the CCR are operating without full implementation of the security safeguards necessary to protect against sabotage, tampering, fraud, misappropriation, misuse, or release to unauthorized persons; and

    • several files with superuser and group privileges[5] on the DEBX and the CCR are listed.

The security agreement for EDI is still in draft, and the expected completion date was early January 2001. Additionally, a security test and evaluation based on the new security agreement was completed on October 4, 2000. That security test and evaluation disclosed 10 additional security findings. JECPO personnel stated that they will attempt to correct 8 of the 10 additional findings identified in the security test and evaluation results. Two of the findings that JECPO personnel expect to correct relate specifically to issues discussed in this report:

    • although a System Security Authorization Agreement is in draft, it requires final coordination and signatures of agreement; and

    • Memorandums of Agreement, Memorandums of Understanding, and Levels of Agreement have not been established with any of the interfaces, to include DFAS and DISA.

As a result of this information, the DISA-designated approving authority granted another extension on the EDI interim authority to operate, which now expires on April 30, 2001.

[4] In order to conduct business with the Federal Government at DFAS Columbus, all contractors must be registered with the DISA Central Contractor Registry, regardless of whether the business is conducted through EDI or on paper.
[5] Superusers have all privileges at all times. Group privileges are access rights granted to a defined set of users in a system who share the same access to it.

Assessing EDI Security Controls

Security controls at DFAS Columbus were not reliable because JECPO and DFAS had not addressed security over EDI, to include performing an assessment to identify the risks associated with the use of EDI or effectively testing EDI controls. JECPO and DFAS had not coordinated an effort to complete security agreements and assess risks, validate the risk assessment through test and evaluation, and account for security requirements in trading partner agreements.

Establishing a Security Agreement and Assessing Risk. The DITSCAP requires that the parties involved in a system’s operation work together to establish a security agreement that assesses the risk of using the system. However, JECPO, DFAS, and DISA personnel did not work together to verify that the use of electronic commerce initiatives in DoD was secure.

In August 1998, DISA prepared a draft security agreement for EDI. JECPO later began updating the security agreement, with an expected completion date of September 2000. However, JECPO personnel stated that the security agreement did not contain DFAS input. This is a significant oversight because DFAS relies upon correct EDI information to make contract payments. DFAS personnel need to know whether the controls that validate the accuracy of contract payments have been assessed by DoD. To mitigate this risk, JECPO, DFAS, and DISA should establish a working group or team to oversee the preparation of an EDI security agreement.

Validating the Security Agreement through Test and Evaluation. The DITSCAP mandates that the security agreement and any subsequent certification and accreditation be validated through security test and evaluation. In September 1999, DISA performed a security test and evaluation based on the draft security agreement developed in August 1998. However, because the security test and evaluation was not based upon a completed security agreement that included DFAS input, it is unlikely that the security test and evaluation sufficiently validated the risks of operating EDI at DFAS Columbus.

Further, according to JECPO officials, the 21 findings identified in the September 1999 security test and evaluation will remain open because JECPO officials believed that EDI only automated a paper-intensive process and, therefore, needed no additional security. As a result, JECPO has not taken action to correct deficiencies identified through the security test and evaluation and may not have tested for other weaknesses because the security agreement was incomplete.

JECPO conducted an EDI security test and evaluation based on the new security agreement. However, JECPO did not address the 21 open findings and did not include DFAS Columbus in the preparation of the new security agreement and the security test and evaluation. Thus, the new security test and evaluation will likely not validate EDI security at DFAS Columbus. JECPO needs to update the security agreement to include DFAS Columbus concerns. JECPO should require DFAS to participate in the EDI security test and evaluation to determine whether the risks are acceptable.

Accounting for DFAS Trading Partner Agreements. The DITSCAP states that the security agreement will be the single document to address the security of a system. However, in order to make contract payments using EDI, DFAS enters into trading partner agreements with contractors and other DoD personnel (data originating sites). Using EDI, contractors send invoices and the DoD sites send receiving reports or other contract payment documentation. DFAS establishes a trading partner agreement with each site that submits data through EDI to DFAS Columbus. Trading partner agreements state that the data originating sites will maintain a certain level of security, but the agreements are silent on the definition of “certain level of security” and on what security requirements should be maintained. Further, once an agreement is signed, no testing is performed by JECPO, DFAS, or the trading partner to verify compliance with the agreement’s security provision. Finally, the DFAS trading partner agreements need only be established and completed once, and then are valid for all current and future EDI transactions.

JECPO and DFAS have no assurance that security measures have been taken by the originating sites or that data provided to DFAS by those locations are accurate and unaltered. JECPO should require that the trading partner agreements include the security requirements contained in the EDI security agreement and that compliance be validated through the EDI security test and evaluation process. This will verify that EDI data are protected in accordance with the DITSCAP requirements.

Status of EDI Security Controls

The controls over EDI use at DFAS Columbus did not provide reasonable assurance that the system was adequately protected. As such, the EDI security weaknesses increased the risk of undetected alteration or misuse. The lack of a complete security agreement and a valid security test and evaluation increased the risk of data inaccuracy. There is also a risk that implemented security procedures may not have operated as intended, as evidenced by the 31 open security test and evaluation findings. Therefore, JECPO should correct all the open security test and evaluation findings.

Management Actions

During the audit, we informed JECPO, DFAS, and DISA personnel that the DITSCAP process should be followed for EDI. Subsequently, JECPO started to prepare another draft EDI security agreement, which was completed on January 1, 2001. The DISA-designated approving authority granted an extension on the EDI interim authority to operate, which now expires on April 30, 2001, as a result of a security test and evaluation that was completed on October 4, 2000. The decision to follow the DITSCAP process is acceptable; however, DFAS, which uses EDI to make payments, again was not part of the process. Therefore, the DITSCAP requirement for input from all affected stakeholders has not been met. DFAS input is necessary to validate that the risks of making $40 billion in contract payments are tolerable.

Summary

Managers cannot attest to the reliability of EDI data until a security agreement has been accomplished with all the necessary participants, the security test and evaluation findings have been assessed, and security policies are contained in trading partner agreements. JECPO should establish an electronic commerce workgroup or team to verify that the necessary security requirements are obtained from DFAS, DISA, and the data origination sites. The EDI security agreements and trading partner agreements should be validated through the security test and evaluation, and the trading partner agreements should reflect the security requirements outlined in the security agreement.

Recommendations, Management Comments, and Audit Response

We recommend that the Director, Joint Electronic Commerce Program Office:

    1. Update the security agreement for Electronic Data Interchange to incorporate security requirements and the assessment of the risks associated with using the Electronic Data Interchange, to include input and participation from the Defense Finance and Accounting Service and the Defense Information Systems Agency.

    JECPO Comments. JECPO concurred and stated that a security agreement for the Defense Electronic Business Exchange, in accordance with the Defense Information Technology Security Certification and Accreditation Process, has been finalized and that agreement was obtained from all principals involved.

    2. Perform an independent Electronic Data Interchange security test and evaluation, based on an updated security agreement, to include Electronic Data Interchange users, the Defense Finance and Accounting Service, and the Defense Information Systems Agency.

    JECPO Comments. JECPO concurred and stated that on October 2 through 6, 2000, an independent security test and evaluation was performed to validate all security requirements as documented in the security agreement. The findings resulting from the security test and evaluation are being addressed and appropriate corrective actions are being implemented.

    3. Incorporate the security requirements outlined in the security agreement in the Defense Finance and Accounting Service trading partner agreements for the data originating sites.

    JECPO Comments.
JECPO concurred and stated that as part of the\n            Electronic Commerce Interoperability Process, Value Added Networks,\n            and direct connect vendors, to include DFAS trading partners, must\n            agree to abide by the terms and conditions when they submit their Client\n            Application Questionnaire.\n\n            Audit Response. The formal comments from JECPO were partially\n            responsive because the Electronic Commerce Interoperability Process\n            was not a sufficient means to provide trading partners with the\n            appropriate security requirements. Subsequent to the JECPO written\n            comments, DFAS and JECPO personnel agreed that DFAS would\n            incorporate the security agreement requirements in the trading partner\n            agreements. Therefore, we request that the Joint Electronic Commerce\n                                        10\n\x0cProgram Office provide written comments that address the verbal\nagreement made by the Defense Finance and Accounting Office and the\nJoint Electronic Commerce Program Office regarding the Defense\nFinance and Accounting Service trading partner agreements.\n\n4. Initiate corrective action to close the 31 open security test and\n   evaluation findings.\n\nJECPO Comments. JECPO partially concurred and stated that the\n31 findings referenced in the report are outdated because they are the\nresult of a security test and evaluation conducted in 1999. Since the test\nin 1999, a new security test and evaluation was conducted\nOctober 2 through 6, 2000. The security test and evaluation in 2000\nresulted in 21 security findings. As of February 2001, 12 findings are\nclosed, 9 findings are open, and 5 of the 9 findings will remain open.\n\nAudit Response. Comments from JECPO are responsive. However,\nwe request that JECPO explain the impact that the remaining five\nsecurity findings will have on the security of EDI. 
Additionally, we\nrequest that JECPO provide an anticipated closing date for the remaining\nfive security findings.\n\n\n\n\n                            11\n\x0cAppendix A. Audit Process\nScope\n    Work Performed. We performed the audit at DFAS Arlington, DFAS\n    Columbus, and the Joint Electronic Commerce Program Office. We reviewed\n    how DFAS implemented controls for an entity-wide security program and access\n    controls for EDI. We interviewed the DFAS Columbus Information Security\n    Manager, the DFAS Columbus Terminal Area Security Officers, and the DISA\n    security representatives at the Columbus and Ogden centers to determine how\n    they implemented security over EDA and EDI. We also performed a walk-\n    through of the EDA and EDI process as it relates to MOCAS and SAMMS.\n\n    We reviewed how DFAS Columbus implemented the entity-wide security plan\n    and general security controls (access controls). We obtained and reviewed the\n    security readiness reviews performed by DISA Field Security Operations. The\n    reviews identified weaknesses and planned corrective actions for operating\n    software that supports EDI.\n\n    Limitations of Audit Scope. The audit was limited to the review of the general\n    controls. As a result of our assessment of the general controls, we determined\n    that a review of the application controls should not be conducted at this time.\n\n    DoD-Wide Corporate-Level Government Performance and Results Act\n    Goals. In response to the Government Performance and Results Act, the\n    Secretary of Defense annually establishes DoD-wide corporate level goals,\n    subordinate performance goals, and performance measures. 
As of\n    December 2000, the Act does not provide a corporate level goal for information\n    assurance, although the General Accounting Office lists it as a high-risk area.\n    This report pertains to achievement of the following goal and subordinate\n    performance goal:\n\n           \xe2\x80\xa2   FY 2001 DoD Corporate-Level Goal 2: Prepare now for an\n               uncertain future by pursuing a focused modernization effort that\n               maintains U.S. qualitative superiority in key warfighting capabilities.\n               Transform the force by exploiting the Revolution in Military Affairs,\n               and reengineer the Department to achieve a 21st century\n               infrastructure. (01-DoD-02)\n\n           \xe2\x80\xa2   FY 2001 Subordinate Performance Goal 2.5: Improve DoD\n               financial and information management. (01-DoD-2.5)\n\n    DoD Functional Area Reform Goals. Most major DoD functional areas have\n    also established performance improvement reform objectives and goals. This\n    report pertains to achievement of the following functional area objectives and\n    goals:\n\n           \xe2\x80\xa2   Financial Management Area. Objective: Strengthen internal\n               controls. Goal: Improve compliance with the Federal Managers\n               Financial Integrity Act. (FM-5.3)\n\n                                        12\n\x0c           \xe2\x80\xa2   Information Management Technology Area. Objective: Ensure\n               that DoD vital information resources are secure and protected. Goal:\n               Assess information assurance posture of DoD operational systems.\n               (IMT-4.4)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the Department of Defense. 
This report\n    provides coverage of the Information Management and Technology and the\n    Defense Financial Management high-risk areas.\n\n\nMethodology\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    Use of Technical Assistance. We did not use technical assistance to perform\n    this audit.\n\n    Audit Type, Dates, and Standards. We performed this financial-related audit\n    from August 2000 through January 2001 in accordance with auditing standards\n    issued by the Comptroller General of the United States, as implemented by the\n    Inspector General, DoD. We used the General Accounting Office Federal\n    Information Systems Control Manual and the DoD Information Technology\n    Security Certification and Accreditation Process as guides for conducting this\n    general control review.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\n\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26,\n    1996, and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program\n    Procedures,\xe2\x80\x9d August 28, 1996, require DoD organizations to implement a\n    comprehensive system of management controls that provides reasonable\n    assurance that programs are operating as intended and to evaluate the adequacy\n    of the controls.\n\n    Scope of the Review of the Management Control Program. We reviewed the\n    adequacy of management controls in place for EDI. Specifically, we reviewed\n    the implementation of DoD policies and procedures governing EDI. We\n    reviewed management\xe2\x80\x99s self-evaluation applicable to those management\n    controls.\n\n    Adequacy of Management Controls. We identified material management\n    control weaknesses as defined by DoD Instruction 5010.40. 
Management\n    controls could not ensure that the security for EDA and EDI is adequate. All\n    recommendations in this report, if implemented, will provide adequate controls\n    for ensuring that the security for EDI is adequate.\n                                         13\n\x0cA copy of this report will be provided to the senior official responsible for\nmanagement controls in ASD(C3I), DFAS Arlington, and DFAS Columbus.\n\nAdequacy of Management\xe2\x80\x99s Self-Evaluation. DFAS Columbus officials did\nnot identify EDI as an assessable unit and, therefore, did not identify or report\nthe material management control weaknesses identified by the audit.\n\n\n\n\n                                    14\n\x0cAppendix B. Prior Coverage\n\nGeneral Accounting Office\n    GAO Report No. GAO/AIMD 99-107 (OSD Case No. 1835), \xe2\x80\x9cDoD\n    Information Security: Serious Weaknesses Continue to Place Defense\n    Operations at Risk,\xe2\x80\x9d August 26, 1999\n\n    GAO Report No. GAO/AIMD 98-92 (no OSD case number was issued),\n    \xe2\x80\x9cInformation Security \xe2\x80\x93 Serious Weaknesses Place Critical Federal Operations\n    and Assets at Risk,\xe2\x80\x9d September 23, 1998\n\nInspector General\n    Inspector General, DoD, Report No. D-2001-029, \xe2\x80\x9cGeneral Controls Over the\n    Electronic Document Access System,\xe2\x80\x9d December 27, 2000\n\n    Inspector General, DoD, Report No. 99-103, \xe2\x80\x9cDoD Efforts to Implement\n    Year 2000 Compliance for Electronic Data Interchange,\xe2\x80\x9d March 5, 1999\n\n    Inspector General, DoD, Report No. 96-214, \xe2\x80\x9cComputer Security for the\n    Federal Acquisition Computer Network,\xe2\x80\x9d August 22, 1996\n\n\n\nAir Force\n    Air Force Audit Agency, Project No. 
DW000005, \xe2\x80\x9cAccounting for Selected\n    Assets and Liabilities (Fund Balance with Treasury), Fiscal Year 1998 Air\n    Force Consolidated Financial Statements, Defense Finance and Accounting\n    Service, Columbus, Columbus, OH,\xe2\x80\x9d December 8, 1999\n\n    Air Force Audit Agency, Project No. DW000003, \xe2\x80\x9cAccounting for Revenues\n    and Other Financing Sources (Disbursements), Fiscal Year 1998 Air Force\n    Consolidated Financial Statements, Defense Finance and Accounting Service -\n    Columbus, Columbus, OH,\xe2\x80\x9d November 22, 1999\n\n    Air Force Audit Agency, Project No. 97064011, \xe2\x80\x9cElectronic Data Interchange\n    Procurement Transactions,\xe2\x80\x9d December 24, 1998\n\n\n\n\n                                      15\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller/Chief Financial Officer)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Director, Joint Electronic Commerce Program Office\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nDefense Organizations\nDirector, Defense Contract Management Agency\nDirector, Defense Finance and Accounting Service\n   Director, Defense Finance and Accounting Service Columbus\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organizations and Individuals\nOffice of Management and Budget\n\n\n\n\n                                          16\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on 
Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         17\n\x0c\x0cDefense Information Systems Agency Comments\n\n\n\n\n                     19\n\x0c20\n\x0c21\n\x0c22\n\x0cAudit Team Members\nThe Finance and Accounting Directorate, Office of the Assistant Inspector General for\nAuditing, DoD prepared this report. Personnel of Office of the Inspector General,\nDoD, who contributed to the report, are listed below.\n\nF. Jay Lane\nSalvatore D. Guli\nKimberley A. Caprio\nEric L. Lewis\nJacqueline J. Vos\nYolanda C. Watts\nTroy R. Zigler\nLisa C. Rose-Pressley\nStephen G. Wynne\n\x0c'